Hochul Proposes Statewide Cybersecurity Regulations for N.Y. Hospitals

New York Gov. Kathy Hochul has proposed statewide cybersecurity regulations for hospitals. Her fiscal 2024 budget includes $500 million in funding that healthcare facilities may apply to upgrade their technology systems to comport with the proposed regulations.

Hochul’s office said the proposed regulations aim to strengthen the protections on hospital networks and systems that are critical to providing patient care, as a complement to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule that focuses on protecting patient data and health records. 

Under the proposed provisions, hospitals would be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.

In a statement, State Health Commissioner James McDonald M.D., M.P.H, said, “Under Governor Hochul’s leadership, New York State has significantly enhanced its cyber defenses, which are critically important to our health care system. When we protect hospitals, we protect patients. These nation-leading draft cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure.”

Additionally, the proposed regulations would require that hospitals develop response plans for a potential cybersecurity incident, including notification to appropriate parties. Hospitals will also be required to run tests of their response plan to ensure that patient care continues while systems are restored back to normal operations.

The proposed regulations mandate that each hospital’s cybersecurity program includes written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility. Hospitals will also be required to establish policies and procedures for evaluating, assessing, and testing the security of externally developed applications used by the hospital.

The proposed regulations also require hospitals to establish a Chief Information Security Officer role, if one does not exist already, in order to enforce the new policies and to annually review and update them as needed. Additionally, the proposed regulations require the use of multi-factor authentication to access the hospital’s internal networks from an external network.

The $500 million in funding was included in the Governor’s FY24 budget and will be part of an upcoming statewide capital program call for applications, opening soon. These funds will spur investment in modernization of healthcare facilities as well as utilization of advanced clinical technologies, cybersecurity tools, electronic medical records, and other technological upgrades to improve quality of care, patient experience, accessibility, and efficiency.

If adopted by the Public Health and Health Planning Council this week, the regulations will be published in the State Register on Dec. 6, and undergo a 60-day public comment period ending on Feb. 5, 2024. Once finalized, hospitals will have a year to come into compliance with the new regulations.